AcademySoftwareFoundation openexr
cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*
- >= 3.2.0, <= 3.2.4
- >= 3.3.0, <= 3.3.5
- >= 3.4.0, <= 3.4.2
A use-after-free vulnerability has been identified in the OpenEXR Python bindings, specifically in versions 3.2.0 through 3.2.4, 3.3.0 through 3.3.5, and 3.4.0 through 3.4.2. The issue arises in the legacy adapter's implementation of PyObject_StealAttrString, which retrieves a new reference to a Python object attribute, immediately decrements the reference count, and returns the pointer. This creates a dangling pointer that can be passed to functions like PyLong_AsLong or PyFloat_AsDouble, leading to a use-after-free condition. The vulnerability is triggered in several scenarios, such as when reading certain attributes related to pixel types and box dimensions.
Exploitation of this vulnerability causes a use-after-free condition, which can lead to memory corruption and potentially allow for arbitrary code execution.
The vulnerability can be reproduced by creating a Python script that uses the OpenEXR library to open an EXR file. The script should define a class that simulates a fresh integer, which is then used to exploit the use-after-free condition by accessing a pixel type attribute through the vulnerable PyObject_StealAttrString function. This dangling pointer can be passed to other Python APIs, triggering the use-after-free and causing a segmentation fault, which indicates a crash due to memory corruption.
Users can upgrade to OpenEXR versions 3.2.5, 3.3.6, or 3.4.3, where this vulnerability has been fixed.
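The reference-counting mistake described above, as an added example that is neither OpenEXR's code nor the CPython API: a plain-C model in which freeing is represented by poisoning the object, so the dangling read is observable without undefined behaviour. The names Obj, Holder, get_attr, steal_attr, read_via_steal and read_owned are hypothetical. It assumes the "fresh integer" in the reproduction means an attribute lookup that returns a newly created object whose only reference is the one the helper drops, and it places a convert-then-release ordering beside the flawed one.

```c
#include <stdio.h>
#include <stddef.h>
/* Constructed model of a reference-counted object; not CPython or OpenEXR code. */
typedef struct { int refcnt; int alive; long value; } Obj;
static Obj pool[8];
static size_t pool_used;
static Obj *obj_new(long v) {              /* new object, caller owns the only reference */
    Obj *o = &pool[pool_used++ % 8];
    o->refcnt = 1; o->alive = 1; o->value = v;
    return o;
}
static void obj_decref(Obj *o) {           /* "free" is modelled by poisoning, not free() */
    if (--o->refcnt == 0) { o->alive = 0; o->value = -1; }
}

/* Attribute holder: `stored` keeps its own reference to the value; when it is
   NULL every lookup builds a fresh object, as a computed attribute would. */
typedef struct { Obj *stored; long fresh_value; } Holder;
static Obj *get_attr(Holder *h) {          /* returns a NEW reference */
    if (h->stored) { h->stored->refcnt++; return h->stored; }
    return obj_new(h->fresh_value);
}
static Obj *steal_attr(Holder *h) {        /* the flawed helper pattern */
    Obj *o = get_attr(h);
    obj_decref(o);                         /* reference dropped before the caller reads */
    return o;
}
/* Returns 1 and fills *out if the object was still alive at the read, else 0. */
static int read_via_steal(Holder *h, long *out) {
    Obj *o = steal_attr(h);
    if (!o->alive) return 0;               /* in real code this read is the use-after-free */
    *out = o->value;
    return 1;
}
static int read_owned(Holder *h, long *out) { /* convert first, release afterwards */
    Obj *o = get_attr(h);
    int ok = o->alive;
    if (ok) *out = o->value;
    obj_decref(o);
    return ok;
}
int main(void) {
    Holder stored = { obj_new(2), 0 }, fresh = { NULL, 2 };
    long v = 0;
    printf("steal/stored=%d\n", read_via_steal(&stored, &v));
    printf("steal/fresh=%d\n", read_via_steal(&fresh, &v));
    printf("owned/fresh=%d\n", read_owned(&fresh, &v));
    return 0;
}
```

With a stored attribute the flawed helper appears to work because another reference keeps the object alive, which is why the pattern can go unnoticed until a lookup returns a fresh object.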